Saturday, December 31, 2005

"New exploit released for the WMF vulnerability - YELLOW"

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System

"On New Year's eve the defenders got a 'nice' present from the full disclosure community.

The source code claims to be made by the folks at metasploit and xfocus, together with an anonymous source.

Note: We have been able to confirm that this exploit works. We are in the process of getting information to AV vendors ASAP. We can also confirm that having the file and simply opening the directory can be enough to get the exploit running.

The exploit generates files:

* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer

From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the IDS signatures for the previous versions of the WMF exploits work for this next generation.

Judging from the source code, it will likely be difficult to develop very effective signatures due to the structure of the WMF files.


..."


Like everyone has been saying, the current WMF vulnerability is frickin hairy.

Happy New Year... :|

(via Microsoft Most Valuable Professional [Harry Waldron] : New WMF Exploit version emerges - ISC returns to Yellow alert)

Related Past Post XRef:
WMF Day 2

No comments:

Post a Comment

NOTE: Anonymous Commenting has been turned off for a while... The comment spammers are just killing me...

ALL comments are moderated. I will review every comment before it will appear on the blog.

Your comment WILL NOT APPEAR UNTIL I approve it. This may take some hours...

I reserve, and will use, the right to not approve ANY comment for ANY reason. I will not usually, but if it's off topic, spam (or even close to spam-like), inflammatory, mean, etc, etc, well... then...

Please see my comment policy for more information if you are interested.

Thanks,
Greg

PS. I am proactively moderating comments. Your comment WILL NOT APPEAR UNTIL I approve it. This may take some hours...